Adding a new member to a Check Point FW1/Security Gateway cluster/vap-group

Article ID: 167832

Products

XOS

Issue/Introduction

This article describes how to add a new VAP member to an existing Check Point cluster with minimal downtime.

Cause

Goal: To increase the VAP count of a Check Point FireWall-1 VAP group and bring the new blade into the cluster with minimal downtime.

The following circuit definitions exist on the X-Series before the vap-count is increased. On the mgmt and sync circuits each member gets its own address: the address after increment-per-vap is the last address of the per-member range (here two members, .1 and .2), so the range must be extended whenever the vap-count grows.

circuit mgmt
  device-name mgmt
  vap-group fw
    ip 192.168.9.1/24 increment-per-vap 192.168.9.2
#
circuit intranet
  device-name inta
  vap-group fw
    ip 10.2.2.1/24
#
circuit sync
  device-name sync
  link-state-resistant
  vap-group fw
    ip 192.168.6.1/28 increment-per-vap 192.168.6.2
#
circuit internet
  device-name internet
  vap-group fw
    default-egress-vlan-tag 102
    ip 10.5.5.1/24

Note: A brief outage is incurred when state synchronization is enabled on both cluster members and the firewall process is restarted for the change to take effect.


Resolution

Increase the VAP Count

1. Extend the IP ranges for the mgmt and sync circuits. The ip line is restated in full, so keep the prefix length that is already configured (/24 for mgmt, /28 for sync); only the increment-per-vap end address moves from .2 to .3 to make room for a third member:

CBS# configure circuit mgmt vap-group fw ip 192.168.9.1/24 increment-per-vap 192.168.9.3
CBS# configure circuit sync vap-group fw ip 192.168.6.1/28 increment-per-vap 192.168.6.3

2. Increase the vap-count:

CBS# configure vap-group fw vap-count 3
Adjusting vap-count.  May take several minutes.......

3. Restrict the load-balance-vap-list to members 1 and 2 so that no traffic is steered to the new member until it runs the application and has joined the cluster:

CBS# configure vap-group fw load-balance-vap-list 1 2
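As an added example (not part of the original article and not an XOS tool), the bash helper below computes the increment-per-vap end address for a target vap-count and refuses a range that would run past the last usable host of the circuit's prefix, then prints the configure circuit line to paste at the CBS# prompt. The circuit and vap-group names are the article's; the helper names ip2int, int2ip and vap_range are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original article: sanity-check the
# per-member address range before raising vap-count.  Helper names
# (ip2int, int2ip, vap_range) are this example's own.

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# vap_range <circuit> <vap-group> <first-addr/prefix> <vap-count>
# Member 1 keeps <first-addr>; members 2..N take the following addresses,
# so the increment-per-vap argument is <first-addr> + (N - 1).  Prints the
# XOS configure line on success, or an error (exit 1) if the range would
# reach the broadcast address of the prefix.
vap_range() {
    local circuit=$1 group=$2 cidr=$3 count=$4
    local first=${cidr%/*} plen=${cidr#*/}
    local f mask net bcast last
    f=$(ip2int "$first")
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( f & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    last=$(( f + count - 1 ))
    if [ "$last" -ge "$bcast" ]; then
        echo "error: $circuit: $count members from $first exceed /$plen (last usable host $(int2ip $((bcast - 1))))" >&2
        return 1
    fi
    echo "configure circuit $circuit vap-group $group ip $first/$plen increment-per-vap $(int2ip "$last")"
}

# Usage for the article's third member:
#   vap_range mgmt fw 192.168.9.1/24 3
#   vap_range sync fw 192.168.6.1/28 3
```

With the article's sync circuit (192.168.6.1/28) the check passes up to 14 members; asking for 15 is rejected because the range would hit the broadcast address, which is the kind of mistake that otherwise surfaces only as a member that cannot reach its sync peers.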

Install the Application on New Member

1. Run the application update command to install the application on the new vap-group member:

CBS# application-update vap-group fw

2. A message will then tell you that the new VAP must be reloaded. DO NOT RELOAD IT AT THIS TIME.

Load the New Member

1. It is now safe to raise the max-load-count of the fw vap-group to 3, which brings up the new member:

CBS# configure vap-group fw max-load-count 3

Integrate the New Member

1. Once the APM has booted, open SmartDashboard and add the new member to the cluster.

2. If any hotfixes are installed on the existing cluster members, apply the same hotfixes on the new gateway so that all members run the same build (compare the output of fw ver on each member). Here is an example for an HFA:

a. Change to the Unix prompt:

CBS# unix su

b. Copy the HFA file to fw_3:

[root@cbs admin]# cp <HFA-filename> /tftpboot/fw_3/tmp

c. Rsh to the new VAP member and install the hotfix:

[root@cbs admin]# rsh fw_3
fw_3(cbs): root$ cd /tmp
fw_3(cbs): tmp$ tar xvzf <HFA-filename>
fw_3(cbs): tmp$ ./UnixInstallScript

When the installer finishes it will tell you to reboot. DO NOT REBOOT AT THIS TIME.

3. Exit to the CLI and reboot the NEW APM ONLY. Use show ap-vap-mapping to find which slot hosts fw_3; the example below assumes slot 12:

CBS# show ap-vap-mapping
CBS# reload module 12

4. You can now add the new member to the load-balance-vap-list:

CBS# configure vap-group fw load-balance-vap-list 1 2 3

Finally, verify the HA status on each cluster member. All three members should be listed and each should report Active or Standby; a member shown as Ready or Down has not joined the cluster properly (typically a version or hotfix mismatch):

[root@cbs admin]# rsh fw_1
fw_1(cbs): root$ cphaprob stat
fw_1(cbs): root$ exit
[root@cbs admin]# rsh fw_2
fw_2(cbs): root$ cphaprob stat
fw_2(cbs): root$ exit
[root@cbs admin]# rsh fw_3
fw_3(cbs): root$ cphaprob stat
fw_3(cbs): root$ exit
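As an added example (not part of the original article or of Check Point's tooling), the bash function below checks a cphaprob stat report for the expected member count and for any member that is not Active or Standby, so the verification above can be scripted rather than eyeballed on each member. Both reports in the block are constructed for illustration in the shape cphaprob stat prints; cluster_ok is this example's own name, and the Unique Address column is assumed to carry each member's sync circuit address.

```shell
#!/bin/bash
# Added example, not part of the original article: check a "cphaprob stat"
# report for the expected member count and for members that are not
# Active or Standby.  Both reports below are constructed for illustration
# in the shape cphaprob stat prints; cluster_ok is this example's own name.

# Constructed: what the fw_1 report should look like once fw_3 has joined
# (the Unique Address is assumed to be the member's sync circuit address).
STAT_OK='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.6.1     100%            Active
2          192.168.6.2     0%              Standby
3          192.168.6.3     0%              Standby
'

# Constructed: fw_3 stuck in Ready, which is what a member that does not
# match the others (for example a missing hotfix) typically reports.
STAT_MISMATCH='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.6.1     100%            Active
2          192.168.6.2     0%              Standby
3          192.168.6.3     0%              Ready
'

# cluster_ok <expected-member-count> <report-text>
# Prints "<number> <state>" for each member row and returns 0 only when
# exactly <expected> members are listed and every one is Active or Standby.
cluster_ok() {
    local expected=$1 report=$2
    printf '%s\n' "$report" | awk -v want="$expected" '
        /^[0-9]+/ {                      # member rows start with the member number
            seen++
            state = $NF
            print $1, state
            if (state != "Active" && state != "Standby") bad++
        }
        END {
            if (seen != want) {
                printf "expected %d members, report lists %d\n", want, seen > "/dev/stderr"
                exit 1
            }
            if (bad > 0) {
                printf "%d member(s) not Active/Standby\n", bad > "/dev/stderr"
                exit 1
            }
        }'
}

# Typical use on the CBS after "rsh fw_1":
#   cluster_ok 3 "$(cphaprob stat)"
```

Run it on each member in turn (the article's rsh fw_1, fw_2, fw_3 loop); a non-zero exit on any one of them means the new member should be taken back out of the load-balance-vap-list until the cause is fixed.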

Workaround

N/A